The Human Factor: Why Are We So Bad at Security and Risk Assessment?

Presented at BSidesLV 2017, July 25, 2017, 5 p.m. (55 minutes).

How does the science of human perception and decision making influence the security sector? How can we use information about how people make decisions to create more successful security professionals? In the 1970s, "fringe" psychologists began to question the phenomenon of decision making, seeking to understand the mechanism by which individuals will make seemingly unfathomable choices in the face of obvious deterrents. When one has any personal stake in a situation (e.g. what to eat for dinner or who to vote for) our ability to take stock and react reasonably becomes nearly non-existent. There are numerous academic studies on decision-making and perception whose insights have been applied to various industries over the years with surprising success. Why do we make unintelligent choices? Why are we are so overwhelmingly deficient at risk assessment? This session will explore how the science of decision making applies to the security sector, empowering attendees to walk away with a better understanding of how these concepts can be leveraged to build more robust and useful security tools, as well as more successful training models. Supported by the research of Nobel prize-winning psychologist Daniel Kahneman, I will introduce these techniques and discuss how they can help security in several practical ways.

Presenters:

  • John Nye - VP, Cybersecurity Strategy - CynergisTek, Inc.
    John Nye is Vice President of Cybersecurity Strategy for CynergisTek and has spent the majority of the last decade working in Information Security, half that time working exclusively as a professional penetration tester. Besides testing and improving security, John has a passion for educating and informing the public. He accomplishes this by presenting hacking demos regularly at industry conferences and groups as well as writing blog posts for CynergisTek and industry publications. Nye's specialties include Wireless, web, and system penetration testing, user education and public speaking, information assurance, security auditing, policy compliance and writing, and security research and analysis. Some of his industry certifications include CISSP, Licensed Penetration Tester (LPT) and Certified Ethical Hacker (CEH).

Links:

Similar Presentations: